Electronic toy manufacturer VTech confirmed on Friday a data breach which has affected nearly 5 million of its customers. The data theft includes sensitive information about children and their parents.
Following the hack, VTech has stopped its trading activities on the Hong Kong Stock Exchange along with suspending 13 of its websites. A company’s spokesperson has confirmed that an “unauthorized party” accessed its Learning Lodge app database on November 14.
The breach was initially confirmed by security analyst Troy Hunt, who found that 4.8 million customer records were stolen along with over 227,000 children’s records. According to Hunt, users’ account passwords were not encrypted as the company claims. He verified a sample of the stolen data leaked over the Internet, which includes sensitive user information such as names, genders, date of births along with addresses.
“The investigation continues as we look at additional ways to strengthen our Learning Lodge database security. We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future,” said VTech in a statement.
Though Hunt seems to be extremely concerned by the breach given the fact that children accounts also have been compromised. “When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts,” he added.
While according to a security expert at Surrey University Professor Alan Woodward, the data hack of the Hong Kong-based toy manufacturer may just have been a case of simple hacking technique called SQL injection.
“If that is the case then it really is unforgivable – it is such an old attack that any standard security testing should look for it. If initial reports are correct then they should be taking their website connection to their databases offline immediately until they can discover how this was done and correct the issue”, said Woodward.